Tetrate offers an enterprise-ready, 100% upstream distribution of Istio, Tetrate Istio Subscription (TIS). TIS is the easiest way to get started with Istio for production use cases. TIS+, a hosted Day 2 operations solution for Istio, adds a global service registry, unified Istio metrics dashboard, and self-service troubleshooting.
Get access now ›
Istio uses iptables for traffic hijacking, and there is one rule chain named ISTIO_OUTPUT which contains the following rules.
ISTIO_OUTPUT rule chain
The sidecar applies these rules to deal with different types of traffic. This article will show you the six types of traffic and their iptables rules in Istio sidecar.
iptables Traffic Routing in Sidecar
The following list summarizes the six types of traffic in Sidecar.
- Remote service accessing local service: Remote Pod -> Local Pod
- Local service accessing remote service: Local Pod -> Remote Pod
- Prometheus crawling metrics of local services: Prometheus -> Local Pod
- Traffic between Local Pod services: Local Pod -> Local Pod
- Inter-process TCP traffic within Envoy
- Sidecar to Istiod traffic
The following will explain the iptables routing rules within Sidecar for each scenario, which specifies which rule in ISTIO_OUTPUT is used for routing.
Type 1: Remote Pod -> Local Pod
The following are the iptables rules for remote services, applications, or clients accessing the local pod IP of the data plane.
Remote Pod -> RREROUTING -> ISTIO_INBOUND -> ISTIO_IN_REDIRECT -> Envoy 15006 (Inbound) -> OUTPUT -> ISTIO_OUTPUT RULE 1 -> POSTROUTING -> Local Pod
We see that the traffic only passes through the Envoy 15006 Inbound port once. The following diagram shows this scenario of the iptables rules.
Type 2: Local Pod -> Remote Pod
The following are the iptables rules that the local pod IP goes through to access the remote service.
Local Pod-> OUTPUT -> ISTIO_OUTPUT RULE 9 -> ISTIO_REDIRECT -> Envoy 15001 (Outbound) -> OUTPUT -> ISTIO_OUTPUT RULE 4 -> POSTROUTING -> Remote Pod
We see that the traffic only goes through the Envoy 15001 Outbound port.
The traffic in both scenarios above passes through Envoy only once because only one scenario occurs in that Pod, sending or receiving requests.
Type 3: Prometheus -> Local Pod
Prometheus traffic that grabs data plane metrics does not have to go through the Envoy proxy.
These traffic flows pass through the following iptables rules.
Prometheus-> RREROUTING -> ISTIO_INBOUND (traffic destined for ports 15002, 15090 will go to INPUT) -> INPUT -> OUTPUT -> ISTIO_OUTPUT RULE 3 -> POSTROUTING -> Local Pod
Type 4: Local Pod -> Local Pod
A Pod may simultaneously have two or more services. If the Local Pod accesses a service on the current Pod, the traffic will go through Envoy 15001 and Envoy 15006 ports to reach the service port of the Local Pod.
The iptables rules for this traffic are as follows.
Local Pod-> OUTPUT -> ISTIO_OUTPUT RULE 9 -> ISTIO_REDIRECT -> Envoy 15001(Outbound)-> OUTPUT -> ISTIO_OUTPUT RULE 2 -> ISTIO_IN_REDIRECT -> Envoy 15006(Inbound)-> OUTPUT -> ISTIO_OUTPUT RULE 1 -> POSTROUTING -> Local Pod
Type 5: Inter-process TCP traffic within Envoy
Envoy internal processes with UID and GID 1337 will communicate with each other using lo NICs and localhost domains.
The iptables rules that these flows pass through are as follows.
Envoy process (Localhost) -> OUTPUT -> ISTIO_OUTPUT RULE 8 -> POSTROUTING -> Envoy process (Localhost)
Type 6: Sidecar to Istiod traffic
Sidecar needs access to Istiod to synchronize its configuration so that Envoy will have traffic sent to Istiod.
The iptables rules that this traffic passes through are as follows.
pilot-agent process -> OUTPUT -> Istio_OUTPUT RULE 9 -> Envoy 15001 (Outbound Handler) -> OUTPUT -> ISTIO_OUTPUT RULE 4 -> POSTROUTING -> Istiod
Summary
In this article, you learned about the types of traffic in Sidecar, which will help you troubleshoot. In my next blog, I will take you through the ports of each component in Envoy and their functions to have a more comprehensive understanding of the traffic in Istio.
###
If you’re new to service mesh, Tetrate has a bunch of free online courses available at Tetrate Academy that will quickly get you up to speed with Istio and Envoy.
Are you using Kubernetes? Tetrate Enterprise Gateway for Envoy (TEG) is the easiest way to get started with Envoy Gateway for production use cases. Get the power of Envoy Proxy in an easy-to-consume package managed by the Kubernetes Gateway API. Learn more ›
Getting started with Istio? If you’re looking for the surest way to get to production with Istio, check out Tetrate Istio Subscription. Tetrate Istio Subscription has everything you need to run Istio and Envoy in highly regulated and mission-critical production environments. It includes Tetrate Istio Distro, a 100% upstream distribution of Istio and Envoy that is FIPS-verified and FedRAMP ready. For teams requiring open source Istio and Envoy without proprietary vendor dependencies, Tetrate offers the ONLY 100% upstream Istio enterprise support offering.
Need global visibility for Istio? TIS+ is a hosted Day 2 operations solution for Istio designed to simplify and enhance the workflows of platform and support teams. Key features include: a global service dashboard, multi-cluster visibility, service topology visualization, and workspace-based access control.
Get a Demo